
Welcome back, my aspiring hackers!
Those of you who have been reading my tutorials for some time now know that I am adamant regarding the necessity of learning and using Linux to hack. There is no substitute, period. In this tutorial, though, we will be setting up a system to attract hackers so we can catch or study them. Since Windows servers are such a common target, with so many well-known flaws and vulnerabilities, we will be setting up a Windows system to do just that.
A honeypot is a computer system that looks enticing to a hacker. It looks important and vulnerable, enough that the hacker attempts to break in. The security community uses honeypots to entrap hackers and to study their techniques. As a hacker, it is important to know that these exist and the risks you bear if you get entrapped in one.
In this tutorial, we will be setting up a honeypot. If you leave it up and running, you can observe other hackers practicing their art. In addition, we will do some recon on the honeypot to see what it looks like from the attacker's perspective. It's important for the hacker to know what these honeypots look like from the outside in order to avoid them, and to avoid a long prison sentence of hard labor and living on gruel three times a day.
Step 1: Download and Install KFSensor
There are a number of honeypots on the market, including honeynet, honeyd, Tiny Honeypot, NetBait, ManTrap and others, but we will be using a commercial honeypot for Windows, KFSensor. This gives us an authentic Windows system hosting it, and we can use our Kali Linux system to do recon on it. One of the things we want to accomplish in this tutorial is to identify ways to detect a honeypot and then run far, far away.
Let's open a browser and navigate to www.kfsensor.com
Download and install the software. It is a 30-day trial, so we have a month to play with it for free.
Once it is installed, right click on the KFSensor icon and choose "Run as administrator". You should get a setup wizard like this.

After going through a few more screens in the wizard choosing the defaults, you come to the screen below that allows you to choose the native services. Let's choose all of them.

Then, choose your domain name. You might want to make it sound enticing. The default is networksforu.com. I made mine www.firstfinanacial.com, hoping to make the hacker think it is a financial web site.
Next, you can choose an email address where you want to send the alerts.
Step 2: Choose Options
Finally, we have a few options to choose. Let's go with the defaults, but note the final option. It allows us to capture the packets so that we can analyze the attacks with a tool like Wireshark or another protocol analyzer. It warns you, though, that packet captures can take up a lot of disk space; still, if you are trying to catch or study a hacker, it's necessary. We'll leave it disabled for now.

Step 3: Set Up Your Honeypot and Watch
When you have completed the wizard, click Finish and you should have an application that looks like this.

Step 4: Scan with Nmap
Now that we have our honeypot set up, let's take the approach of the hacker. Just as if we were doing recon on a potential target, let's use nmap to scan that system. Let's do a SYN scan.
nmap -sS 192.168.1.102

As you can see, we find numerous ports open. As a hacker, this is a big RED FLAG. Few commercial web servers would leave all these ports open. Not in 2014!
If we go back to the honeypot, we can see that we set off an alert for a port scan in the purple highlighted area. Remember that a SYN scan does not complete the 3-way handshake, but most IDSs consider many packets arriving in rapid succession from one IP to be a "possible port scan". This is one reason why it is often advisable to slow your scan down with nmap's built-in timing templates (-T0 through -T5, where the lower numbers are slower and stealthier).

Step 5: Scan with Nikto
Earlier, I showed you how to use nikto to find vulnerabilities in webservers. Letâs use it here against this honeypot.
./nikto.pl -h 192.168.1.102

Our results tell us that this system is a default install of Microsoft's IIS 7 server. Another RED FLAG that this might be a honeypot.
Step 6: Banner Grab
Lastly, let's try a banner grab. We can connect with netcat to port 80 and then try to grab the web server banner, if there is one. After typing the HEAD request line, press Enter twice: the blank line is what tells the server the request is complete.
nc 192.168.1.102 80
HEAD / HTTP/1.0

As you can see, we were able to grab the banner identifying the web server as Microsoft's IIS 7.5.
Some Tell-Tale Signs of a Honeypot
There is NO single tell-tale sign of a honeypot, but there are a few things to keep in mind, all of which we saw above. First, an unusually large number of open ports: a real production web server exposes a handful of services, not a dozen or more. Second, a web server that is still a default install, with the stock welcome page and nothing customized. Third, a banner that advertises exactly what the other two signs suggest. Any one of these can happen on a sloppy real server; all of them together should make you suspicious.
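The checks above can be scripted so that they run against saved scan output rather than against a live target. The following is an added example written for this tutorial; it is not code from the original post and has nothing to do with KFSensor's own software. It assumes nmap's grepable output format (-oG) and a raw HTTP response saved from netcat, both of which are constructed inline below to resemble what the scans in Steps 4 to 6 returned; the open-port threshold of 8 and the assumption that the stock IIS 7/7.5 welcome page carries the title "IIS7" are my own choices, not facts from the page.

```shell
#!/bin/sh
# Added example for this tutorial, not code from the original post or from KFSensor.
# It scores the two red flags the recon in Steps 4 to 6 turned up:
#   1. far more open TCP ports than a production web server should expose
#   2. a web server still serving its stock install page
# It works on saved output so it runs offline; the sample files below are
# constructed to resemble what the tutorial's scans returned. To collect real
# input (scanned slowly, see Step 4, to avoid tripping the port-scan alert):
#   nmap -sS -T2 -oG honeypot.gnmap 192.168.1.102
#   printf 'GET / HTTP/1.0\r\n\r\n' | nc -w 3 192.168.1.102 80 > honeypot.http

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed nmap grepable (-oG) output for the honeypot: 15 ports open
cat > "$WORK/honeypot.gnmap" <<'EOF'
# Nmap 6.40 scan initiated as: nmap -sS -T2 -oG honeypot.gnmap 192.168.1.102
Host: 192.168.1.102 ()  Status: Up
Host: 192.168.1.102 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 143/open/tcp//imap///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 3306/open/tcp//mysql///, 3389/open/tcp//ms-wbt-server///  Ignored State: closed (985)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

# Constructed raw HTTP response from the honeypot's web service
cat > "$WORK/honeypot.http" <<'EOF'
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
Content-Type: text/html
Content-Length: 689

<!DOCTYPE html><html><head><title>IIS7</title></head><body><h1>Welcome</h1></body></html>
EOF

# Constructed counterpart for a hardened production web server (two ports, custom page)
cat > "$WORK/prod.gnmap" <<'EOF'
Host: 203.0.113.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///  Ignored State: filtered (998)
EOF
cat > "$WORK/prod.http" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html

<!DOCTYPE html><html><head><title>Customer Login</title></head><body></body></html>
EOF

open_port_count() {
  # Count the port/open/ fields on the Ports: line(s) of a gnmap file
  grep -o '[0-9][0-9]*/open/' "$1" | wc -l | tr -d ' '
}

server_banner() {
  # Value of the first Server: header, matched case-insensitively, CRs stripped
  tr -d '\r' < "$1" | grep -i '^Server:' | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

looks_default_iis() {
  # Assumption: the stock IIS 7/7.5 welcome page is titled "IIS7". On a live
  # host you would confirm a default install with nikto, as in Step 5.
  if tr -d '\r' < "$1" | grep -qi '<title>IIS7</title>'; then echo yes; else echo no; fi
}

honeypot_flags() {
  # Print one line per red flag; a real production web server rarely trips either.
  gnmap=$1; http=$2; threshold=${3:-8}
  n=$(open_port_count "$gnmap")
  if [ "$n" -ge "$threshold" ]; then
    echo "RED FLAG: $n open TCP ports (a real web server seldom exposes $threshold or more)"
  fi
  if [ "$(looks_default_iis "$http")" = yes ]; then
    echo "RED FLAG: default install page served by '$(server_banner "$http")'"
  fi
  return 0
}

for target in honeypot prod; do
  echo "== $target: $(open_port_count "$WORK/$target.gnmap") open ports, banner '$(server_banner "$WORK/$target.http")'"
  honeypot_flags "$WORK/$target.gnmap" "$WORK/$target.http"
done
```

Point the functions at your own scan.gnmap and saved HTTP response instead of the constructed files to score a real target. The threshold is deliberately a parameter: what counts as "too many ports" depends on what the host claims to be, and a single flag is a reason to look closer, not proof of a honeypot.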
Be careful out there, my aspiring hackers, as I want you to keep coming back to Null Byte to refine your skills rather than sitting in a concrete room. Keep in mind that honeypots are meant to be enticing, but it may be a trap!